A part of OS 7.1.0 is the migration from iptables to nftables. It broke some of my utilities running in a docker container on this MOX (the Deconz utility to control Zigbee devices). What is not working is the masquerading, for which docker utilizes automatically generated iptables rules.
From my observation, the first leg of masquerading (DNAT) works: the incoming SYN request to the docker-running server is delivered to the appropriate docker container address and port. However, the second leg, mapping the response back to the original address, fails: the ACK from the server keeps its docker-assigned address and port and is therefore not accepted by the caller, as it is not relevant to this communication.
In the example below is a snapshot captured on a router between the client and the MOX hosting the docker. 192.168.70.3 is an external client, initiating an http connection to the docker, listening at 192.168.68.39:8448. 172.17.0.2:443 is the docker-assigned internal container address and port where deconz listens to requests.
```
tcpdump -vi br-lan host 192.168.70.3
tcpdump: listening on br-lan, link-type EN10MB (Ethernet), snapshot length 162144 bytes
13:59:13.444004 IP (tos 0x0, ttl 63, id 6383, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.70.3.45972 > 192.168.68.39.8443: Flags [S], cksum 0x1115 (correct), seq 1851338979, win 64860, options [mss 1380,sackOK,TS val 3782334756 ecr 0,nop,wscale 7], length 0
13:59:13.444410 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    172.17.0.2.443 > 192.168.70.3.45972: Flags [R.], cksum 0xa884 (correct), seq 0, ack 1851338980, win 0, length 0
```
I found various workarounds, but I am looking for a solution compatible with the rest of the MOX functions (Sentinel, …).
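The symptom in the capture above (a reply leaving with the container's own 172.17.0.2:443 as source instead of the published host address) can be checked automatically over a tcpdump text capture. The script below is an added example, not part of the original post or of Turris OS or docker; it assumes `tcpdump -v` output on standard input-like text and a docker bridge subnet of 172.17.0.0/16 (both assumptions), pairs each SYN with the replies it receives and reports every reply whose source differs from the address the client actually connected to.

```python
import ipaddress
import re

# One "tcpdump -v" packet summary line: "src.sport > dst.dport: Flags [..], ..."
PKT_RE = re.compile(
    r"^(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def find_leaked_replies(capture, container_net="172.17.0.0/16"):
    """Return one (client, reply_src, expected_src, flags, from_container) tuple for
    every reply whose source is not the published address the client connected to."""
    net = ipaddress.ip_network(container_net)  # assumed docker bridge subnet
    expected = {}  # (client_ip, client_port) -> (server_ip, server_port) taken from the SYN
    leaks = []
    for line in capture.splitlines():
        m = PKT_RE.match(line.strip())
        if not m:
            continue  # "IP (tos 0x0, ...)" header lines and anything else
        src, dst = m["src"], m["dst"]
        sport, dport = int(m["sport"]), int(m["dport"])
        flags = m["flags"]
        if flags == "S":  # bare SYN: remember which published address the client used
            expected[(src, sport)] = (dst, dport)
        elif (dst, dport) in expected and (src, sport) != expected[(dst, dport)]:
            exp = expected[(dst, dport)]  # reply came back un-rewritten (missing SNAT/masquerade)
            leaks.append((f"{dst}:{dport}", f"{src}:{sport}", f"{exp[0]}:{exp[1]}",
                          flags, ipaddress.ip_address(src) in net))
    return leaks

# Constructed sample: the two packets from the capture in the post, followed by a
# second, constructed connection (client port 45973) where the reply is rewritten correctly.
SAMPLE = """\
13:59:13.444004 IP (tos 0x0, ttl 63, id 6383, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.70.3.45972 > 192.168.68.39.8443: Flags [S], cksum 0x1115 (correct), seq 1851338979, win 64860, options [mss 1380,sackOK,TS val 3782334756 ecr 0,nop,wscale 7], length 0
13:59:13.444410 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    172.17.0.2.443 > 192.168.70.3.45972: Flags [R.], cksum 0xa884 (correct), seq 0, ack 1851338980, win 0, length 0
13:59:20.000000 IP (tos 0x0, ttl 63, id 6384, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.70.3.45973 > 192.168.68.39.8443: Flags [S], cksum 0x0000 (correct), seq 1, win 64860, length 0
13:59:20.000400 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.68.39.8443 > 192.168.70.3.45973: Flags [S.], cksum 0x0000 (correct), seq 2, ack 2, win 65535, length 0
"""

if __name__ == "__main__":
    for client, got, want, flags, internal in find_leaked_replies(SAMPLE):
        print(f"reply to {client} came from {got}, expected {want} "
              f"(flags {flags}, container address: {internal})")
```

Running it on the sample reports only the first connection, whose RST arrives straight from 172.17.0.2:443; the second connection, answered from 192.168.68.39:8443, is silent.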